# SPDX-License-Identifier: GPL-2.0+
# Copyright (c) 2019, Linaro Limited
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
#
# U-Boot UEFI: Signed Image Authentication Test

"""
This test verifies image authentication for unsigned images.
"""
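@pytest.mark.boardspec('sandbox')
@pytest.mark.buildconfigspec('efi_secure_boot')
@pytest.mark.buildconfigspec('cmd_efidebug')
@pytest.mark.buildconfigspec('cmd_fat')
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
class TestEfiUnsignedImage(object):
    """Check how UEFI secure boot treats an image that carries no signature.

    Each case restarts U-Boot, binds the disk image supplied by the
    efi_boot_env fixture, writes *.auth payloads from its FAT partition
    into the secure boot variables and then tries to start /helloworld.efi
    through the boot manager:

    * case 1: only KEK and PK are written      -> the image must not run
    * case 2: db_hello.auth is written to db   -> the image runs
    * case 3: db_hello.auth is written to dbx  -> the image must not run,
      and still must not run after the same payload is also written to db

    Every variable write uses ``setenv -e -nv -bs -rt -at -i addr,size``:
    a UEFI variable (-e) that is non-volatile, has boot-service and
    run-time access, is written as a time-based authenticated variable
    (-at) and takes its value from the buffer the preceding ``fatload``
    filled (-i 4000000,$filesize).

    PK is always written last.
    NOTE(review): presumably because enrolling PK is what ends setup mode
    and puts the db/dbx policy in force; confirm.
    """

    def _write_variables(self, console, commands):
        """Run the variable-loading commands and fail if a write is refused.

        Args:
            console: the u_boot_console fixture.
            commands: console commands that load and write the variables.
        """
        output = ''.join(console.run_command_list(commands))
        assert 'Failed to set EFI variable' not in output

    def _boot_hello(self, console):
        """Register helloworld.efi as boot option 1 and run the boot manager.

        Args:
            console: the u_boot_console fixture.

        Returns:
            The console output of the commands joined into one string.
        """
        return ''.join(console.run_command_list([
            'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
            'efidebug boot next 1',
            # NOTE(review): the last entry of this list was missing from
            # the copy under review; 'bootefi bootmgr' is what the
            # assertions on the boot manager output call for. Confirm
            # against the upstream test.
            'bootefi bootmgr']))

    def _assert_hello_rejected(self, console):
        """Assert that helloworld.efi is refused and never executes.

        Two attempts are made: one through the boot manager and one through
        ``efidebug test bootmgr``, which reports the status returned by
        efi_start_image().

        Args:
            console: the u_boot_console fixture.
        """
        output = self._boot_hello(console)
        assert "'HELLO' failed" in output
        # The failure message alone does not prove the image stayed
        # unexecuted; its banner must be absent from this attempt too.
        assert 'Hello, world!' not in output

        output = ''.join(console.run_command_list([
            'efidebug boot next 1',
            'efidebug test bootmgr']))
        # 26 is the code of EFI_SECURITY_VIOLATION in the UEFI status table.
        assert 'efi_start_image() returned: 26' in output
        assert 'Hello, world!' not in output

    def test_efi_unsigned_image_auth1(self, u_boot_console, efi_boot_env):
        """
        Test Case 1 - rejected when not digest in db or dbx
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 1'):
            # Neither db nor dbx is written here, only KEK and PK.
            self._write_variables(u_boot_console, [
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK; echo',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])

            self._assert_hello_rejected(u_boot_console)

    def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env):
        """
        Test Case 2 - authenticated by digest in db
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 2'):
            self._write_variables(u_boot_console, [
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 db_hello.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db; echo',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])

            # The image's banner is the evidence that it was started.
            assert 'Hello, world!' in self._boot_hello(u_boot_console)

    def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env):
        """
        Test Case 3 - rejected by digest in dbx
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 3a'):
            # Test Case 3a, rejected by dbx
            # NOTE(review): the payload written to dbx is db_hello.auth,
            # the file case 2 writes to db. An authenticated payload is
            # normally bound to one variable name, so this presumably works
            # only because PK is not enrolled yet at this point; confirm,
            # and consider a payload generated for dbx.
            self._write_variables(u_boot_console, [
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 db_hello.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])

            self._assert_hello_rejected(u_boot_console)

        with u_boot_console.log.section('Test Case 3b'):
            # Test Case 3b, rejected by dbx even if db allows
            self._write_variables(u_boot_console, [
                'fatload host 0:1 4000000 db_hello.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])

            # The deny list has to win over the allow list.
            self._assert_hello_rejected(u_boot_console)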